Is the Commission's draft EU-US Privacy Shield adequacy decision a new shield for transatlantic privacy or just more of the same?

Dr. Maria Tzanou (Lecturer in Law, Keele University)

In October 2015, the Court of Justice of the European Union (CJEU) ruled in the Schrems case that the US Safe Harbor framework did not adequately protect personal data transfers from the EU. The court found that US mass electronic surveillance practices violated fundamental EU privacy rights.

To address this, the European Commission and the US agreed on a new framework called the EU-US Privacy Shield. This framework, announced in February 2016, aims to replace the invalidated Safe Harbor agreement. It includes commitments from the US government on enforcement, outlined in several annexes accompanying the draft adequacy decision. These annexes detail the roles of various US government bodies, including the Department of Commerce, the Department of State, the Federal Trade Commission, the Department of Transportation, the Office of the Director of National Intelligence, and the Department of Justice, in ensuring Privacy Shield’s effectiveness.

Like its predecessor, Privacy Shield relies on US companies self-certifying their adherence to a set of privacy principles. However, it diverges from Safe Harbor by including a section on US public authorities’ access to and use of personal data transferred under the framework. Based on assurances from various US agencies, the Commission concluded that existing US regulations sufficiently limit interference with fundamental rights for national security purposes. The Commission’s adequacy conclusion hinges on four main arguments: the prioritization of targeted data collection over bulk collection, robust oversight of US intelligence activities, the availability of redress avenues for EU data subjects under US law, and the establishment of a new Privacy Shield Ombudsperson to handle complaints independently.

Despite its seemingly privacy-enhancing language, concerns remain about Privacy Shield’s ability to comply with the CJEU’s Schrems judgment. One issue is that the US assurances primarily describe existing legal frameworks and safeguards, with limited changes introduced after the Snowden revelations. This raises questions about the framework’s ability to address the CJEU’s concerns, as the court was likely aware of these existing provisions. Additionally, while the focus on targeted surveillance is positive, the assurances lack acknowledgment of concerns regarding access to personal data content, which the CJEU previously deemed problematic. Moreover, the adequacy decision overlooks the potential chilling effect that data retention for surveillance purposes, even if targeted, can have on individuals’ behavior and their exercise of rights, as highlighted in the Digital Rights Ireland case. Regarding effective judicial protection, the Commission itself acknowledges that existing redress avenues for EU citizens are not comprehensive and face limitations.

The introduction of the Privacy Shield Ombudsperson is a welcome addition, aiming to provide independent oversight and redress for individuals. However, limitations exist. The process for accessing the Ombudsperson is less straightforward than that for national Data Protection Authorities, requiring individuals to go through multiple channels. Additionally, the Ombudsperson’s responses will not confirm or deny surveillance targeting or specify the remedies applied. Lastly, the Ombudsperson’s mandate excludes addressing general claims about the Privacy Shield’s compatibility with EU data protection requirements. These limitations raise concerns about whether the Ombudsperson can offer the robust supervisory guarantees that the CJEU seemingly sought in Schrems.

Another significant concern is Privacy Shield’s conflation of regulations for commercial data transfers and law enforcement access to private data. These distinct issues warrant separate frameworks. While flexible mechanisms for commercial data transfers are crucial, the complexities of online surveillance’s impact on fundamental rights necessitate a more robust approach than mere assurances based on existing US law. Two potential solutions are suggested: the US joining the Council of Europe Convention No. 108, which would eliminate the disparity between US and EU citizens regarding redress rights, or the adoption of a comprehensive transatlantic framework guaranteeing high data protection standards, transparency, and accountability for counter-terrorism operations (an “umbrella agreement”). However, the current form of the proposed umbrella agreement raises concerns about its compatibility with EU data protection standards, making it an unlikely solution.

A recent leak of the Article 29 Working Party’s assessment reveals difficulties in reaching a consensus on the Commission’s draft adequacy decision. The working party reportedly believes that Privacy Shield falls short of providing adequate safeguards for transferring personal data from the EU to the US, especially concerning intelligence activities.

If the Commission proceeds with the current draft, future challenges before the CJEU, potentially mirroring Schrems (Schrems 2), seem likely.

Licensed under CC BY-NC-SA 4.0